Managing roles

Roles are used to specify what actions a user can perform. Roles are assigned to a user (or group, in which case they are inherited by all users in that group). A user or group can have more than one role, in which case they are able to perform any action that at least one of their roles allows.

At least one user must have the admin role, since otherwise any action that requires the admin role (such as creating role assignments) would never be possible. When PowerVC is installed, root is initially assigned the admin role. It is recommended that you assign the admin role to another user (or group) and then remove the admin role assignment from root.

To work with user and group roles, from the Configuration page, click Users and Groups. Only role assignments specific to a project are supported.

Standard roles

These are the commonly assigned roles.

Administrator (admin)
Users with this role can perform all tasks and have access to all resources. Only administrators on the ibm-default project can list, create, and delete projects. Also, the admin user of the ibm-default project can set the image visibility of PowerVC images from private to public. Project administrators can create deploy templates using these public or shared images.
Administrator assistant (admin_assist)
Users with this role can perform create and edit tasks but do not have privileges to perform remove or delete operations (for example, deleting a virtual machine or a volume, or removing a host or a network). However, these users can perform all virtual machine, image, and volume lifecycle operations except Delete. The admin_assist users of the ibm-default project can set the image visibility of PowerVC images from private to public.

Advanced roles

These roles require a deeper understanding of the product and should only be assigned to advanced users. Each of these roles would only be used in certain situations, for example:
  • If a user needs to write automation to deploy virtual machines, but does not need to perform any other tasks, assign that user Deployer.
  • If a user needs to deploy and manage their own virtual machines, but the user does not need to work with images, storage, or perform infrastructure tasks, such as registering hosts, assign that user Virtual machine manager.
  • If a user needs to deploy and manage virtual machines but also needs to capture and manage images, assign the user both Virtual machine manager and Image manager.
  • If a user needs to work with storage volumes and nothing else, assign that user Storage manager.
  • If a user needs to manage virtual machines that others have created, assign that user Virtual machine manager.
Deployer (deployer)
Users with this role can perform the following tasks:
  • Deploying a virtual machine from an image
  • Viewing all resources except users and groups
Image manager (image_manager)
Users with this role can perform the following tasks:
  • Creating, capturing, importing, or deleting an image
  • Editing the description of an image
  • Viewing all resources except users and groups
Storage manager (storage_manager)
Users with this role can perform the following tasks:
  • Creating, deleting, or resizing a volume
  • Viewing all resources except users and groups
Viewer (viewer)
Users with this role can view resources and the properties of resources, but can perform no tasks. They cannot view users and groups.
Virtual machine manager (vm_manager)
Users with this role can perform the following tasks:
  • Deploying a virtual machine from an image
  • Deleting, resizing, starting, stopping, or restarting a virtual machine
  • Attaching or detaching a volume
  • Attaching or detaching a network interface
  • Editing details of a deployed virtual machine
  • Viewing all resources except users and groups
  • Creating, attaching, detaching, and deleting floating IP addresses
Virtual machine user (vm_user)
Users with this role can perform the following tasks:
  • Starting, stopping, or restarting a virtual machine
  • Viewing all resources except users and groups
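
The role rules described on this page (group inheritance, the union of multiple roles, project-scoped assignments, and keeping at least one admin before removing the assignment from root) can be checked offline against an exported assignment list. The following is an added example, not PowerVC code or API output: the assignment rows, group membership, action labels, and function names are all constructed for illustration, and only a subset of roles is mapped.

```python
# Added example: constructed data, not PowerVC code or API output.
# Action labels are hypothetical shorthand for tasks listed on this page.
ROLE_ACTIONS = {
    "viewer": {"view"},
    "vm_user": {"view", "vm_power"},
    "deployer": {"view", "vm_deploy"},
    "image_manager": {"view", "image_manage"},
    "vm_manager": {"view", "vm_deploy", "vm_power", "vm_delete", "vm_edit"},
}
# Constructed sample rows: (principal kind, principal, project, role)
ASSIGNMENTS = [
    ("user", "root", "ibm-default", "admin"),
    ("group", "ops", "ibm-default", "admin"),
    ("user", "alice", "ibm-default", "vm_manager"),
    ("group", "imaging", "ibm-default", "image_manager"),
    ("user", "alice", "dev", "viewer"),
]
GROUPS = {"ops": {"bob"}, "imaging": {"alice"}}  # constructed membership


def effective_roles(user, project, assignments, groups):
    """Direct roles plus roles inherited from the user's groups, per project."""
    return {
        role for kind, who, proj, role in assignments
        if proj == project and (
            (kind == "user" and who == user)
            or (kind == "group" and user in groups.get(who, set())))
    }


def effective_actions(user, project, assignments, groups):
    """Union of what each held role allows; admin is not mapped, see admins()."""
    roles = effective_roles(user, project, assignments, groups)
    return set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))


def admins(project, assignments, groups):
    """Every user who ends up with admin on the project, directly or via a group."""
    people = {w for k, w, _, _ in assignments if k == "user"}
    people |= set().union(*groups.values())
    return {u for u in people
            if "admin" in effective_roles(u, project, assignments, groups)}


def safe_to_remove(row, project, assignments, groups):
    """True if deleting this assignment still leaves at least one admin."""
    remaining = [a for a in assignments if a != row]
    return bool(admins(project, remaining, groups))
```

Running `safe_to_remove` on root's admin row before deleting it confirms that another user or group member still holds admin on the project.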